Disinfection
As the text string embedded in the worm announces, the worm stops working once the
computer's clock reaches 2004, so this feature can be used to remove it from an
infected computer. This can be automated with the DATE and SHUTDOWN commands,
for example:
DATE 01-01-2004
SHUTDOWN -r
Set the clock back to the correct date once the machine has been cleaned.
This variant uses two files: DLLHOST.EXE, which is the worm itself, and
SVCHOST.EXE, which is a renamed TFTP server. Note that DLLHOST.EXE and
SVCHOST.EXE are also the names of legitimate Windows system files; only the
copies in the worm's own "wins" directory are malicious.
Those files can be found in the following locations on an infected machine:
The worm file:
%systemDir%\wins\DLLHOST.EXE
The renamed tftp server:
%systemDir%\wins\SVCHOST.EXE
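Because the worm hides behind legitimate file names, the quickest triage check is to compare the directory of each running DLLHOST.EXE and SVCHOST.EXE against the real system directory. The following is an added example and not part of the F-Secure description: it runs over a constructed process listing (the PIDs, the extra entry under C:\Temp and the tab-separated format are made up for illustration) and flags copies that live under %systemDir%\wins\. The SYSTEM_DIR value is an assumption for a default Windows XP install; pass C:\WINNT\system32 for Windows 2000.

```python
import ntpath

# Assumed default %systemDir%; C:\WINNT\system32 on Windows 2000 (assumption
# for this example, not a value from the original description).
SYSTEM_DIR = r"C:\WINDOWS\system32"

# File names the worm borrows from legitimate Windows system files.
WORM_FILES = {
    "dllhost.exe": "Welchi worm body",
    "svchost.exe": "Welchi renamed TFTP server",
}

# Subdirectory the worm creates under the system directory.
WORM_SUBDIR = "wins"


def classify(image_path, system_dir=SYSTEM_DIR):
    """Return a verdict for one executable path, or None if the path is
    not suspicious for this worm.  Uses ntpath so it also runs on a
    non-Windows analysis host."""
    name = ntpath.basename(image_path).lower()
    if name not in WORM_FILES:
        return None
    directory = ntpath.normpath(ntpath.dirname(image_path)).lower()
    if directory == ntpath.normpath(system_dir).lower():
        return None  # the real system file in its real location
    worm_dir = ntpath.normpath(ntpath.join(system_dir, WORM_SUBDIR)).lower()
    if directory == worm_dir:
        return WORM_FILES[name]
    # Same borrowed name somewhere else: not this worm, but worth a look.
    return "suspicious copy of %s outside %s" % (name, system_dir)


def triage(process_listing, system_dir=SYSTEM_DIR):
    """Parse 'pid<TAB>image path' lines (constructed format) and return
    (pid, path, verdict) for every process that needs attention."""
    findings = []
    for line in process_listing.strip().splitlines():
        pid, path = line.split("\t", 1)
        verdict = classify(path.strip(), system_dir)
        if verdict is not None:
            findings.append((int(pid), path.strip(), verdict))
    return findings


# Constructed process listing; PIDs and the C:\Temp entry are invented.
SAMPLE_LISTING = """
4\tC:\\WINDOWS\\system32\\svchost.exe
812\tC:\\WINDOWS\\system32\\dllhost.exe
1340\tC:\\WINDOWS\\system32\\wins\\DLLHOST.EXE
1356\tC:\\WINDOWS\\system32\\wins\\SVCHOST.EXE
1402\tC:\\Temp\\svchost.exe
"""

if __name__ == "__main__":
    for pid, path, verdict in triage(SAMPLE_LISTING):
        print("PID %5d  %-45s %s" % (pid, path, verdict))
```

The legitimate svchost.exe and dllhost.exe in %systemDir% itself are reported as clean; only the two copies under %systemDir%\wins\ are attributed to Welchi, and a same-named file anywhere else is reported separately so it is not mistaken for this worm.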
It infects computers using the same RPC DCOM vulnerability (MS03-026) as the
Lovsan worm. Please refer to Lovsan's description for instructions on patching
the security hole:
http://www.f-secure.com/v-descs/msblast.shtml
In addition, Welchi will attempt to infect IIS 5.0 web servers via a WebDAV
exploit. For more on this vulnerability, disclosed in March 2003, see:
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
Through the RPC hole Welchi only infects Windows XP machines; through the WebDAV
hole it infects both Windows 2000 and Windows XP machines.
It also tries to disinfect Lovsan.A from the machine and to apply the Microsoft
patch that closes the RPC hole. To do so it attempts to download the patch
from eight different URLs, corresponding to four language versions (English,
Chinese, Simplified Chinese and Korean) for both Windows XP and Windows 2000.
Note that Welchi does not always install the patch successfully. We recommend
that after cleaning Welchi you verify that the patch is actually installed,
following Microsoft's instructions (see the section File Information in the
knowledge base article):
http://support.microsoft.com/?kbid=823980
When trying to disinfect Lovsan.A it looks for a process with the string
"msblast" in its name and terminates it if found. Then it deletes the file
under the path
%systemdir%\msblast.exe
In that sense, Welchi is an "anti-virus virus".
When run, it creates a mutex named "RpcPatch_Mutex", so that only one copy of
the worm is active at a time.
Apparently the worm does not modify the Windows Registry in order to be launched
automatically.
It contains the following string, which is never displayed:
=========== I love my wife & baby :)~~~ Welcome Chian~~~
Notice: 2004 will remove myself:)~~ sorry zhongli~~~====
======= wins
[FSAV_Database_Version]
Version=2003-08-18_03
[Description: Mikko Hypponen and Ero Carrera; 18th of August, 2003]